iOS Route - Ping But Not SSH LAN Devices ?

Official client software for OpenVPN Access Server and OpenVPN Cloud.
HeyRob
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 02, 2020 1:25 pm

iOS Route - Ping But Not SSH LAN Devices ?

Post by HeyRob » Sun Feb 02, 2020 1:36 pm

Hello All,

I recently switched from Android to Apple, and am having issues with a particular ovpn profile that I would like to route ONLY to the ovpn server's LAN (10.0.0.0 255.255.255.0). On Android, the following server/client config works perfectly: I could ping, SSH, etc. any device on the 10.0.0.0 network. On iOS, I can only ping LAN devices on 10.0.0.0, and all SSH connections fail. It's the weirdest thing.

Server config:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/os_4f1e607b-8e41-4f87-acd5-175baa21cef1.crt
key /etc/openvpn/easy-rsa/pki/private/os_4f1e607b-8e41-4f87-acd5-175baa21cef1.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.0.0.100"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

Client config:

client
dev tun
proto udp
remote server port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name os_4f1e607b-8e41-4f87-acd5-175baa21cef1 name
cipher AES-256-CBC
auth SHA256
auth-nocache
route-nopull
route 10.0.0.0 255.255.255.0
verb 3
<ca>



OVPN Client Logs:

2020-02-02 08:43:02 1
2020-02-02 08:43:02 ----- OpenVPN Start -----
OpenVPN core 3.git::2ae73415 ios arm64 64-bit PT_PROXY built on Dec  2 2019 14:44:28
2020-02-02 08:43:02 OpenVPN core 3.git::2ae73415 ios arm64 64-bit PT_PROXY built on Dec  2 2019 14:44:28
2020-02-02 08:43:02 Frame=512/2048/512 mssfix-ctrl=1250
2020-02-02 08:43:02 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
10 [verify-x509-name] [DietPi_4f1e607b-8e41-4f87-acd5-175baa21cef1] [name] 
13 [auth-nocache] 
16 [verb] [3] 
2020-02-02 08:43:02 EVENT: RESOLVE
2020-02-02 08:43:02 Contacting [2607:7700:0:2f:0:1:498b:d57f]:1194/UDP via UDP
2020-02-02 08:43:02 EVENT: WAIT
2020-02-02 08:43:02 Connecting to [hostname]:1194 (2607:7700:0:2f:0:1:498b:d57f) via UDPv6
2020-02-02 08:43:02 EVENT: CONNECTING
2020-02-02 08:43:02 Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
2020-02-02 08:43:02 Creds: UsernameEmpty/PasswordEmpty
2020-02-02 08:43:02 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.1.1-2819
IV_VER=3.git::2ae73415
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_IPv6=0
IV_AUTO_SESS=1
2020-02-02 08:43:02 VERIFY OK : depth=1
cert. version     : 3
serial number     : 5B:8D:DB:C0:AE:8B:45:A7:45:21:C5:1A:3F:8F:78:6C:CD:4F:BD:A8
issuer name       : CN=ChangeMe
subject name      : CN=ChangeMe
issued  on        : 2019-10-24 21:40:06
expires on        : 2029-10-21 21:40:06
signed using      : ECDSA with SHA256
EC key size       : 256 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign
2020-02-02 08:43:02 VERIFY OK : depth=0
cert. version     : 3
serial number     : F2:1F:87:A0:A0:9D:AF:A8:01:C7:9E:7D:F5:8A:41:F6
issuer name       : CN=ChangeMe
subject name      : CN=DietPi_4f1e607b-8e41-4f87-acd5-175baa21cef1
issued  on        : 2019-10-24 21:40:06
expires on        : 2029-10-21 21:40:06
signed using      : ECDSA with SHA256
EC key size       : 256 bits
basic constraints : CA=false
subject alt name  : DietPi_4f1e607b-8e41-4f87-acd5-175baa21cef1
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication
2020-02-02 08:43:02 SSL Handshake: TLSv1.2/TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
2020-02-02 08:43:02 Session is ACTIVE
2020-02-02 08:43:02 EVENT: GET_CONFIG
2020-02-02 08:43:02 Sending PUSH_REQUEST to server...
2020-02-02 08:43:03 Ignored due to route-nopull: [dhcp-option] [DNS] [10.0.0.100] 
2020-02-02 08:43:03 Ignored due to route-nopull: [redirect-gateway] [def1] 
2020-02-02 08:43:03 OPTIONS:
0 [route] [10.0.0.0] [255.255.255.0] 
1 [block-outside-dns] 
2 [route-gateway] [10.8.0.1] 
3 [topology] [subnet] 
4 [ping] [1800] 
5 [ping-restart] [3600] 
6 [ifconfig] [10.8.0.2] [255.255.255.0] 
7 [peer-id] [0] 
8 [cipher] [AES-256-GCM] 
9 [block-ipv6] 
2020-02-02 08:43:03 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: NONE
  peer ID: 0
2020-02-02 08:43:03 EVENT: ASSIGN_IP
2020-02-02 08:43:03 NIP: preparing TUN network settings
2020-02-02 08:43:03 NIP: init TUN network settings with endpoint: 2607:7700:0:2f:0:1:498b:d57f
2020-02-02 08:43:03 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0
2020-02-02 08:43:03 NIP: adding (included) IPv4 route 10.8.0.0/24
2020-02-02 08:43:03 NIP: adding (included) IPv4 route 10.0.0.0/24
2020-02-02 08:43:03 NIP: blocking all IPv6 traffic
2020-02-02 08:43:03 Connected via NetworkExtensionTUN
2020-02-02 08:43:03 EVENT: CONNECTED hostname via /UDPv6 on NetworkExtensionTUN/10.8.0.2/ gw=[/]
2020-02-02 08:43:10 EVENT: DISCONNECTED

As I said, I can ping devices on my LAN network (10.0.0.0), but cannot SSH to them. I have also reviewed sshd logs on the LAN hosts; no connection attempts arrive at the SSH daemons. I can also successfully route all of my traffic through the VPN, and connect via SSH to LAN devices, if I do not use route-nopull in the client config. Any help would be greatly appreciated!
Last edited by Pippin on Mon Feb 03, 2020 2:43 pm, edited 1 time in total.
Reason: Formatting

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: iOS Route - Ping But Not SSH LAN Devices ?

Post by Pippin » Sun Feb 02, 2020 2:00 pm

Take a look at --pull-filter accept|ignore|reject instead of --route-nopull in the 2.4 manual:
https://openvpn.net/community-resources ... envpn-2-4/
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

HeyRob
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 02, 2020 1:25 pm

Re: iOS Route - Ping But Not SSH LAN Devices ?

Post by HeyRob » Sun Feb 02, 2020 2:06 pm

Thanks for the suggestion, Pippin. Related to the issue above, how would I use --pull-filter to alter the behavior to allow SSH to devices on the 10.0.0.0 network (which I can already ping)? Thank you again!

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: iOS Route - Ping But Not SSH LAN Devices ?

Post by Pippin » Mon Feb 03, 2020 2:56 pm

--route-nopull filters more than is probably wanted; see the lines after the push request in your client log.

Remove --route-nopull, connect and take a look at the client log after it sends the push request.
Then use --pull-filter to ignore the options you do not want.
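An added illustration (not from the thread or from OpenVPN's own code) of the approach Pippin describes: it replays the options the server pushed, as listed after PUSH_REQUEST in the client log above, through constructed --pull-filter rules using the prefix-match, first-match-wins semantics the 2.4 manual documents. The rule text is an assumption for the example; whether a particular client build honours pull-filter is not established in the thread.

```python
"""Replay pushed options through --pull-filter rules (OpenVPN 2.4 semantics):
each 'pull-filter accept|ignore|reject TEXT' rule matches an option whose text
starts with TEXT, the first matching rule decides, an unmatched option is
accepted, and 'reject' aborts the connection."""

# Pushed options as listed after PUSH_REQUEST in the client log above.
PUSHED = [
    "dhcp-option DNS 10.0.0.100",
    "redirect-gateway def1",
    "block-outside-dns",
    "route-gateway 10.8.0.1",
    "topology subnet",
    "ping 1800",
    "ping-restart 3600",
    "ifconfig 10.8.0.2 255.255.255.0",
    "peer-id 0",
    "cipher AES-256-GCM",
    "block-ipv6",
]

# Constructed client-side rules (assumption, not from the thread): drop only the
# full-tunnel and DNS pushes, keep route-gateway/ifconfig/topology that the LAN
# route needs, and refuse a pushed default route outright (not pushed here).
CLIENT_FILTER = """
pull-filter ignore "redirect-gateway"
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "block-outside-dns"
pull-filter reject "route 0.0.0.0 0.0.0.0"
"""

def parse_rules(config_text):
    """Return [(action, prefix), ...] from pull-filter lines in config order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split(None, 2)  # keyword, action, quoted text
        if len(parts) == 3 and parts[0] == "pull-filter":
            rules.append((parts[1], parts[2].strip().strip('"')))
    return rules

def apply_pull_filter(pushed, rules):
    """Return (accepted, ignored, rejected); a real client aborts on the first
    reject, collecting them here keeps the outcome easy to inspect."""
    accepted, ignored, rejected = [], [], []
    for opt in pushed:
        action = next((a for a, prefix in rules if opt.startswith(prefix)), "accept")
        {"accept": accepted, "ignore": ignored, "reject": rejected}[action].append(opt)
    return accepted, ignored, rejected
```

Rule order matters: a broad `ignore "route"` placed before a narrower `accept "route 10."` hides the accept, so put specific rules first.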
